Defense

Lessons learned from DOD's bug bounty programs


The Marine Corps Cyber Command just completed its month-long bug bounty program, which yielded more than 100 previously unknown vulnerabilities.

Security researchers scanned more than 200 public websites and found 150 vulnerabilities, according to results released Oct. 3. The bounty was part of the Hack the Pentagon program conducted with HackerOne. It is one of 11 bounty programs the Defense Digital Service has facilitated since 2016. As successful as the bounties have been, there's more work to be done.

Alexander Romero, digital service expert with the Defense Digital Service, told FCW following a Government CIO event Oct. 4 that he wants to broaden the bug bounty program even further.

"My whole thing is trying to increase the scope of these bounties as much as possible," Romero said. "So we're trying to go to remote applications, websites, systems to really bring that whole methodology to more than just websites," he said, hinting at a new slate of capabilities Defense Digital Service is preparing to release.

While he didn't speak to specific vulnerabilities, Romero said the bounty programs, including the latest with the Marines, have had some surprising takeaways such as the volume of reports, where the weak spots were found, and how the diverse backgrounds of researchers improved the quality of reports.

"The varying perspectives from all the researchers -- they all bring something different," he said. "They were all brought up a certain way … and that makes them see the world and systems in that perspective."

Those perspectives led to unique discoveries of vulnerabilities through atypical avenues.

"Some of the applications are tied into systems in such a way that is unexpected, like from a website that you could get to something else more internal on a network. From a public partner site to internal networks and things that should not be publicly exposed, sensitive systems," Romero said, adding that he couldn't give too much detail on the vulnerabilities found.

But as successful as the bounty programs have been, mitigation is still a concern after the researchers leave.

"A lot of organizations have a certain budget set aside for after the bounty to try to fix things, but what we're finding is that maybe [the bounties alone] aren't enough," Romero said.

"It's going to take more data probably to figure out," he said. "When we run a $100,000 bounty, should we also set aside $30,000 for the fixes? It's really dependent on the system, what technologies we're using," he added. "But sometimes the support isn't there or the contractor who made the system is gone, and those are difficult problems."

The Defense Digital Service is largely a facilitator for these programs, but there's an indication that agencies may need more help from the services to address vulnerabilities after they're found.

"The original intent wasn't for DDS to manage the Hack the Pentagon program, but we found that it was beneficial to bring in our expertise, to hand-hold, initially," Romero said.

The goal is to get the services to a place where they can lead their own bounty programs "because that's the only way to scale this. My time is limited, DDS' time is limited," he said.

Adapting a bounty hunting program on the fly is hard to do if it's your first time running one.

Romero said it's possible to expand the scope on the fly, adding in parts of a network that weren't initially considered, but it's hard to do that when people have never run a bounty program before.

"Someone can come from the side and completely take out your application," he said. "The front door might be really well locked, but the side and the back doors are open, or they come through the ground," he said with a laugh.

About the Author

Lauren C. Williams is a staff writer at FCW covering defense and cybersecurity.

Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.

Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. She can be contacted at lwilliams@fcw.com, or follow her on Twitter @lalaurenista.
